CLAIMS: 

1. A method for organizing alerts into alert classes, both the alerts and alert classes 
having a plurality of features, the method comprising the steps of: 

(a) receiving a new alert; 

(b) identifying a set of potentially similar features shared by the new alert and one 
or more existing alert classes; 

(c) updating a minimum similarity requirement for one or more features; 

(d) updating a similarity expectation for one or more features; 

(e) comparing the new alert with one or more alert classes, and either: 

(f1) associating the new alert with the existing alert class that the new alert most 
closely matches; or 

(f2) defining a new alert class that is associated with the new alert. 

2. The method of claim 1 further comprising the step (al) of passing each existing alert 
class through a transition model to generate a new prior belief state for each alert class. 

3. A method for organizing alerts having a plurality of features, each feature having one 
or more values, the method comprising the steps of: 

(a) generating a group of feature records for a new alert, each feature record 
including a list of observed values for its corresponding feature; 

(b) identifying a set of potentially similar features shared by the new alert and one 
or more existing alert classes that are associated with previous alerts; 

(c) comparing the new alert to one or more alert classes; 

(d) rejecting a match if any feature for which a minimum similarity value has 
been set fails to meet or exceed the minimum similarity value; 

(e) adjusting the comparison by an expectation that certain feature values will or 
will not match, and either: 

(f1) associating the new alert with the existing alert class that the new alert most 
closely matches; or 

(f2) defining a new alert class that is associated with the new alert. 
4. In an intrusion detection system that includes a plurality of sensors, each of which 
generates alerts when attacks or anomalous incidents are detected, a method for organizing 
the alerts comprising the steps of: 

(a) receiving an alert; 

(b) identifying a set of features that may be shared by the received alert and one 
or more existing alert classes; 

(c) setting a minimum similarity value for one or more features or feature groups; 

(d) comparing the new alert to one or more of the alert classes, and either: 

(d1) defining a new alert class that is associated with the received alert if any 
feature or feature group that has a minimum similarity value fails to meet or exceed its 
minimum similarity value; or 

(d2) associating the received alert with the existing alert class that the received 
alert most closely matches. 

5. A method for organizing alerts into alert classes, both the alerts and alert classes 
having a plurality of features, the method comprising the steps of: 

(a) receiving a new alert; 

(b) identifying a set of potentially similar features shared by the new alert and one 
or more existing alert classes; 

(c) updating a minimum similarity requirement for one or more features; 

(d) comparing the new alert with one or more alert classes, and either: 

(e1) associating the new alert with the existing alert class that the new alert most 
closely matches; or 

(e2) defining a new alert class that is associated with the new alert. 

6. A method for organizing alerts having a plurality of features, each feature having one 
or more values, the method comprising the steps of: 

(a) generating a group of feature records for a new alert, each feature record 
including a list of observed values for its corresponding feature; 

(b) identifying a set of potentially similar features shared by the new alert and one 
or more existing alert classes that are associated with previous alerts; 

(c) comparing the new alert to one or more alert classes; 
(d) rejecting a match if any feature for which a minimum similarity value has 
been set fails to meet or exceed the minimum similarity value, and either: 

(el) associating the new alert with the existing alert class that the new alert most 
closely matches; or 

(e2) defining a new alert class that is associated with the new alert. 
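The matching procedure the claims describe, as an added example that is not part of the patent: a small Python model in which each alert is a group of feature records (claim 3, step (a)), the features shared with a class are identified (step (b)), a per-feature minimum similarity floor rejects a match outright (claims 3, 4 and 6, step (d)), the remaining features are weighed by an expectation that their values will or will not match (claim 3, step (e)), and the alert then joins its closest class or opens a new one. The Jaccard measure, the threshold and expectation tables, and the sample alerts are assumptions constructed for this example; the claims fix none of them.

```python
# Constructed sample alerts: feature name -> list of observed values (claim 3, step (a)).
SAMPLE_ALERTS = [
    {"src_ip": ["10.0.0.5"], "dst_port": ["22"], "signature": ["ssh-bruteforce"]},
    {"src_ip": ["10.0.0.5"], "dst_port": ["22"], "signature": ["ssh-bruteforce"]},
    {"src_ip": ["10.0.0.9"], "dst_port": ["80"], "signature": ["sql-injection"]},
    {"src_ip": ["10.0.0.5"], "dst_port": ["23"], "signature": ["telnet-bruteforce"]},
]
# Assumed minimum similarity per feature (step (d)); a feature absent here has no floor.
MIN_SIMILARITY = {"src_ip": 1.0}
# Assumed expectation that a feature's values match inside one class (step (e)):
# near 1.0 means "expected to match", near 0.0 means "expected to differ".
EXPECTATION = {"src_ip": 0.9, "dst_port": 0.5, "signature": 0.7}

def jaccard(a, b):
    """Similarity of two value lists in [0, 1] (assumed measure; the claims fix none)."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 1.0

def class_score(alert, alert_class):
    """Score an alert against one class, or None when a minimum-similarity floor fails."""
    shared = set(alert) & set(alert_class)          # step (b): potentially similar features
    if not shared:
        return None
    agreement = []
    for feat in sorted(shared):
        sim = jaccard(alert[feat], alert_class[feat])
        if sim < MIN_SIMILARITY.get(feat, 0.0):     # step (d): reject the match outright
            return None
        exp = EXPECTATION.get(feat, 0.5)            # step (e): a mismatch on a feature that
        agreement.append(sim * exp + (1 - sim) * (1 - exp))  # is expected to differ still counts
    return sum(agreement) / len(agreement)

def organize(alerts):
    """Return the alert classes; each is a dict feature -> list of observed values."""
    classes = []
    for alert in alerts:
        scored = [(class_score(alert, c), i) for i, c in enumerate(classes)]
        candidates = [(s, i) for s, i in scored if s is not None]
        if candidates:                               # (f1)/(d2): join the closest class
            _, best = max(candidates)
            for feat, vals in alert.items():
                seen = classes[best].setdefault(feat, [])
                seen.extend(v for v in vals if v not in seen)
        else:                                        # (f2)/(d1): open a new class
            classes.append({f: list(v) for f, v in alert.items()})
    return classes
```

With the sample above, `organize(SAMPLE_ALERTS)` yields two classes: the three alerts from 10.0.0.5 merge (the differing port and signature only lower the score), while the alert from 10.0.0.9 fails the src_ip floor against the first class and opens its own.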